redline | 49025966d2dd612fc1e423b01620debfd4c97701aefe26a836cea9e2f2d6ab47

Analysis

max time kernel
43s
max time network
114s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe
Size

1.0MB
MD5

d6109df4ffa4303e3c30ba997735b689
SHA1

65ac8413b14d7ccb6c848e849caa0de7900116ee
SHA256

49025966d2dd612fc1e423b01620debfd4c97701aefe26a836cea9e2f2d6ab47
SHA512

5e735b12e77ab991c9d54b701645268579f154573aa8a04d8bf2cdb5ed59d3a8ede9f5e55cbce848cd5323fa1e6b3950d12ec5bb7a0bebb403d3711979e1cc8b

Score

10^/10

redline 1111 discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

1111

65.21.144.202:62942

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3980-128-0x0000000000590000-0x00000000005AC000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

Immobilita.exe.comImmobilita.exe.comRegAsm.exe

pid process

3948 Immobilita.exe.com
3736 Immobilita.exe.com
3980 RegAsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

Immobilita.exe.com

description pid process target process

PID 3736 set thread context of 3980 3736 Immobilita.exe.com RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

212 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exe

pid process

3980 RegAsm.exe
3980 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3980 RegAsm.exe

pid	process
3948	Immobilita.exe.com
3736	Immobilita.exe.com
3980	RegAsm.exe

description	pid	process	target process
PID 3736 set thread context of 3980	3736	Immobilita.exe.com	RegAsm.exe

pid	process
212	PING.EXE

pid	process
3980	RegAsm.exe
3980	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3980	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

49025966d2dd612fc1e423b01620debfd4c97701aefe2.execmd.execmd.exeImmobilita.exe.comImmobilita.exe.com

description	pid	process	target process
PID 3724 wrote to memory of 2440	3724	49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe	cmd.exe
PID 3724 wrote to memory of 2440	3724	49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe	cmd.exe
PID 3724 wrote to memory of 2440	3724	49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe	cmd.exe
PID 2440 wrote to memory of 2712	2440	cmd.exe	cmd.exe
PID 2440 wrote to memory of 2712	2440	cmd.exe	cmd.exe
PID 2440 wrote to memory of 2712	2440	cmd.exe	cmd.exe
PID 2712 wrote to memory of 4032	2712	cmd.exe	findstr.exe
PID 2712 wrote to memory of 4032	2712	cmd.exe	findstr.exe
PID 2712 wrote to memory of 4032	2712	cmd.exe	findstr.exe
PID 2712 wrote to memory of 3948	2712	cmd.exe	Immobilita.exe.com
PID 2712 wrote to memory of 3948	2712	cmd.exe	Immobilita.exe.com
PID 2712 wrote to memory of 3948	2712	cmd.exe	Immobilita.exe.com
PID 2712 wrote to memory of 212	2712	cmd.exe	PING.EXE
PID 2712 wrote to memory of 212	2712	cmd.exe	PING.EXE
PID 2712 wrote to memory of 212	2712	cmd.exe	PING.EXE
PID 3948 wrote to memory of 3736	3948	Immobilita.exe.com	Immobilita.exe.com
PID 3948 wrote to memory of 3736	3948	Immobilita.exe.com	Immobilita.exe.com
PID 3948 wrote to memory of 3736	3948	Immobilita.exe.com	Immobilita.exe.com
PID 3736 wrote to memory of 3980	3736	Immobilita.exe.com	RegAsm.exe
PID 3736 wrote to memory of 3980	3736	Immobilita.exe.com	RegAsm.exe
PID 3736 wrote to memory of 3980	3736	Immobilita.exe.com	RegAsm.exe
PID 3736 wrote to memory of 3980	3736	Immobilita.exe.com	RegAsm.exe
PID 3736 wrote to memory of 3980	3736	Immobilita.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe
"C:\Users\Admin\AppData\Local\Temp\49025966d2dd612fc1e423b01620debfd4c97701aefe2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Convertira.xls
2⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^UNkJJcORLwTPMDHRmEAwfHRFAGvpIPVddQfdtvAkCrkhWSsYbERcArMjWGpeZEpVyDnVgdMrrgnjcDIHfb$" Dio.xls
4⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Immobilita.exe.com
Immobilita.exe.com b
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Immobilita.exe.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Immobilita.exe.com b
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Convertira.xls
MD5
b6fe1919830526b2f145dbfaaf8bbd66

SHA1
9408d9dc170ede0ab5a501dc164c28380a2e48aa

SHA256
0025ce9c906e9b9a84c3e9d68a3121c6856da67edc8cea16b10ef9218498d332

SHA512
9ac79fc10424cd44797e22b8adf4b43b08d7b486506f5281d72d1eeeee982419f05dfc3ebb36bf2a97408a0a625c799220f135393cda8a98efb39d4d5320d010

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Dio.xls
MD5
06b3a22da0176b326cafbecd7dda8bfc

SHA1
348792a34a763cfd9fc68d3fe83b19c2c2390b7f

SHA256
4f3ca52bbbb2fc054e699afab593a83cbb71da61ca601485af91cf36322414a3

SHA512
d9d6fb6538022a3297c93d035c337eb97eb8aaa41900fd9d619651ebd95ef636bec20452026ed874d05574b46db9a56c26bdfd28986d5809196b6f371a50e06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Immobilita.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Immobilita.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Immobilita.exe.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ogni.xls
MD5
28f551194db598f16018a89c351a6474

SHA1
e850137b3768a6ffff6b98744dc7b28cc89c8637

SHA256
76d3560c419bce164302ea145785db80aea673e6de0d2fc256468172f76f15ac

SHA512
ef3828af026c43fe7d5493ef3781884e9810fbe6167d15be3944220bc7c3bc522a4857dd982cd025e695e7ac08c30dd32e28f1fe0df0716f660fca8869ac84b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Talvolta.xls
MD5
964f2c94f4664698a64e1862f122ec1c

SHA1
2bbc6562a2acb905c6b502df9f5d3f564c10f5a8

SHA256
0619d3881581a8ad577ce67a4e727ae4f18f7c2260bfab76cbe275ddaeaf066e

SHA512
f825afae56d552e5d884a27aca5f9ef88464620ba97d22de66634c76f5c15cde393f7897f8a48d8248c4df80674aeb9294bbe97bee94bad04c7cfef71eea38d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\b
MD5
28f551194db598f16018a89c351a6474

SHA1
e850137b3768a6ffff6b98744dc7b28cc89c8637

SHA256
76d3560c419bce164302ea145785db80aea673e6de0d2fc256468172f76f15ac

SHA512
ef3828af026c43fe7d5493ef3781884e9810fbe6167d15be3944220bc7c3bc522a4857dd982cd025e695e7ac08c30dd32e28f1fe0df0716f660fca8869ac84b5

Download Submit
memory/212-122-0x0000000000000000-mapping.dmp

Download
memory/2440-114-0x0000000000000000-mapping.dmp

Download
memory/2712-116-0x0000000000000000-mapping.dmp

Download
memory/3736-124-0x0000000000000000-mapping.dmp

Download
memory/3736-127-0x0000000001400000-0x00000000014BD000-memory.dmp

Filesize
756KB

Download
memory/3948-120-0x0000000000000000-mapping.dmp

Download
memory/3980-128-0x0000000000590000-0x00000000005AC000-memory.dmp

Filesize
112KB

Download
memory/3980-133-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3980-134-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3980-135-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/3980-136-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3980-137-0x0000000004970000-0x0000000004F76000-memory.dmp

Filesize
6.0MB

Download
memory/3980-138-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/3980-140-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/3980-141-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/3980-142-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download
memory/3980-143-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/3980-144-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/4032-117-0x0000000000000000-mapping.dmp

Download